1 // SPDX-License-Identifier: GPL-2.0-only 2 /* 3 * Copyright 2002-2005, Instant802 Networks, Inc. 4 * Copyright 2005-2006, Devicescape Software, Inc. 5 * Copyright 2006-2007 Jiri Benc <jbenc@suse.cz> 6 * Copyright 2007 Johannes Berg <johannes@sipsolutions.net> 7 * Copyright 2013-2014 Intel Mobile Communications GmbH 8 * Copyright (C) 2015-2017 Intel Deutschland GmbH 9 * Copyright (C) 2018-2024 Intel Corporation 10 * 11 * element parsing for mac80211 12 */ 13 14 #include <net/mac80211.h> 15 #include <linux/netdevice.h> 16 #include <linux/export.h> 17 #include <linux/types.h> 18 #include <linux/slab.h> 19 #include <linux/skbuff.h> 20 #include <linux/etherdevice.h> 21 #include <linux/if_arp.h> 22 #include <linux/bitmap.h> 23 #include <linux/crc32.h> 24 #include <net/net_namespace.h> 25 #include <net/cfg80211.h> 26 #include <net/rtnetlink.h> 27 #include <kunit/visibility.h> 28 29 #include "ieee80211_i.h" 30 #include "driver-ops.h" 31 #include "rate.h" 32 #include "mesh.h" 33 #include "wme.h" 34 #include "led.h" 35 #include "wep.h" 36 37 struct ieee80211_elems_parse { 38 /* must be first for kfree to work */ 39 struct ieee802_11_elems elems; 40 41 /* The basic Multi-Link element in the original elements */ 42 const struct element *ml_basic_elem; 43 44 /* The reconfiguration Multi-Link element in the original elements */ 45 const struct element *ml_reconf_elem; 46 47 /* 48 * scratch buffer that can be used for various element parsing related 49 * tasks, e.g., element de-fragmentation etc. 50 */ 51 size_t scratch_len; 52 u8 *scratch_pos; 53 u8 scratch[] __counted_by(scratch_len); 54 }; 55 56 static void 57 ieee80211_parse_extension_element(u32 *crc, 58 const struct element *elem, 59 struct ieee80211_elems_parse *elems_parse, 60 struct ieee80211_elems_parse_params *params) 61 { 62 struct ieee802_11_elems *elems = &elems_parse->elems; 63 const void *data = elem->data + 1; 64 bool calc_crc = false; 65 u8 len; 66 67 if (!elem->datalen) 68 return; 69 70 len = elem->datalen - 1; 71 72 switch (elem->data[0]) { 73 case WLAN_EID_EXT_HE_MU_EDCA: 74 if (params->mode < IEEE80211_CONN_MODE_HE) 75 break; 76 calc_crc = true; 77 if (len >= sizeof(*elems->mu_edca_param_set)) 78 elems->mu_edca_param_set = data; 79 break; 80 case WLAN_EID_EXT_HE_CAPABILITY: 81 if (params->mode < IEEE80211_CONN_MODE_HE) 82 break; 83 if (ieee80211_he_capa_size_ok(data, len)) { 84 elems->he_cap = data; 85 elems->he_cap_len = len; 86 } 87 break; 88 case WLAN_EID_EXT_HE_OPERATION: 89 if (params->mode < IEEE80211_CONN_MODE_HE) 90 break; 91 calc_crc = true; 92 if (len >= sizeof(*elems->he_operation) && 93 len >= ieee80211_he_oper_size(data) - 1) 94 elems->he_operation = data; 95 break; 96 case WLAN_EID_EXT_UORA: 97 if (params->mode < IEEE80211_CONN_MODE_HE) 98 break; 99 if (len >= 1) 100 elems->uora_element = data; 101 break; 102 case WLAN_EID_EXT_MAX_CHANNEL_SWITCH_TIME: 103 if (len == 3) 104 elems->max_channel_switch_time = data; 105 break; 106 case WLAN_EID_EXT_MULTIPLE_BSSID_CONFIGURATION: 107 if (len >= sizeof(*elems->mbssid_config_ie)) 108 elems->mbssid_config_ie = data; 109 break; 110 case WLAN_EID_EXT_HE_SPR: 111 if (params->mode < IEEE80211_CONN_MODE_HE) 112 break; 113 if (len >= sizeof(*elems->he_spr) && 114 len >= ieee80211_he_spr_size(data)) 115 elems->he_spr = data; 116 break; 117 case WLAN_EID_EXT_HE_6GHZ_CAPA: 118 if (params->mode < IEEE80211_CONN_MODE_HE) 119 break; 120 if (len >= sizeof(*elems->he_6ghz_capa)) 121 elems->he_6ghz_capa = data; 122 break; 123 case WLAN_EID_EXT_EHT_CAPABILITY: 124 if (params->mode < IEEE80211_CONN_MODE_EHT) 125 break; 126 if (ieee80211_eht_capa_size_ok(elems->he_cap, 127 data, len, 128 params->from_ap)) { 129 elems->eht_cap = data; 130 elems->eht_cap_len = len; 131 } 132 break; 133 case WLAN_EID_EXT_EHT_OPERATION: 134 if (params->mode < IEEE80211_CONN_MODE_EHT) 135 break; 136 if (ieee80211_eht_oper_size_ok(data, len)) 137 elems->eht_operation = data; 138 calc_crc = true; 139 break; 140 case WLAN_EID_EXT_EHT_MULTI_LINK: 141 if (params->mode < IEEE80211_CONN_MODE_EHT) 142 break; 143 calc_crc = true; 144 145 if (ieee80211_mle_size_ok(data, len)) { 146 const struct ieee80211_multi_link_elem *mle = 147 (void *)data; 148 149 switch (le16_get_bits(mle->control, 150 IEEE80211_ML_CONTROL_TYPE)) { 151 case IEEE80211_ML_CONTROL_TYPE_BASIC: 152 if (elems_parse->ml_basic_elem) { 153 elems->parse_error |= 154 IEEE80211_PARSE_ERR_DUP_NEST_ML_BASIC; 155 break; 156 } 157 elems_parse->ml_basic_elem = elem; 158 break; 159 case IEEE80211_ML_CONTROL_TYPE_RECONF: 160 elems_parse->ml_reconf_elem = elem; 161 break; 162 default: 163 break; 164 } 165 } 166 break; 167 case WLAN_EID_EXT_BANDWIDTH_INDICATION: 168 if (params->mode < IEEE80211_CONN_MODE_EHT) 169 break; 170 if (ieee80211_bandwidth_indication_size_ok(data, len)) 171 elems->bandwidth_indication = data; 172 calc_crc = true; 173 break; 174 case WLAN_EID_EXT_TID_TO_LINK_MAPPING: 175 if (params->mode < IEEE80211_CONN_MODE_EHT) 176 break; 177 calc_crc = true; 178 if (ieee80211_tid_to_link_map_size_ok(data, len) && 179 elems->ttlm_num < ARRAY_SIZE(elems->ttlm)) { 180 elems->ttlm[elems->ttlm_num] = (void *)data; 181 elems->ttlm_num++; 182 } 183 break; 184 } 185 186 if (crc && calc_crc) 187 *crc = crc32_be(*crc, (void *)elem, elem->datalen + 2); 188 } 189 190 static u32 191 _ieee802_11_parse_elems_full(struct ieee80211_elems_parse_params *params, 192 struct ieee80211_elems_parse *elems_parse, 193 const struct element *check_inherit) 194 { 195 struct ieee802_11_elems *elems = &elems_parse->elems; 196 const struct element *elem; 197 bool calc_crc = params->filter != 0; 198 DECLARE_BITMAP(seen_elems, 256); 199 u32 crc = params->crc; 200 201 bitmap_zero(seen_elems, 256); 202 203 for_each_element(elem, params->start, params->len) { 204 const struct element *subelem; 205 u8 elem_parse_failed; 206 u8 id = elem->id; 207 u8 elen = elem->datalen; 208 const u8 *pos = elem->data; 209 210 if (check_inherit && 211 !cfg80211_is_element_inherited(elem, 212 check_inherit)) 213 continue; 214 215 switch (id) { 216 case WLAN_EID_SSID: 217 case WLAN_EID_SUPP_RATES: 218 case WLAN_EID_FH_PARAMS: 219 case WLAN_EID_DS_PARAMS: 220 case WLAN_EID_CF_PARAMS: 221 case WLAN_EID_TIM: 222 case WLAN_EID_IBSS_PARAMS: 223 case WLAN_EID_CHALLENGE: 224 case WLAN_EID_RSN: 225 case WLAN_EID_ERP_INFO: 226 case WLAN_EID_EXT_SUPP_RATES: 227 case WLAN_EID_HT_CAPABILITY: 228 case WLAN_EID_HT_OPERATION: 229 case WLAN_EID_VHT_CAPABILITY: 230 case WLAN_EID_VHT_OPERATION: 231 case WLAN_EID_MESH_ID: 232 case WLAN_EID_MESH_CONFIG: 233 case WLAN_EID_PEER_MGMT: 234 case WLAN_EID_PREQ: 235 case WLAN_EID_PREP: 236 case WLAN_EID_PERR: 237 case WLAN_EID_RANN: 238 case WLAN_EID_CHANNEL_SWITCH: 239 case WLAN_EID_EXT_CHANSWITCH_ANN: 240 case WLAN_EID_COUNTRY: 241 case WLAN_EID_PWR_CONSTRAINT: 242 case WLAN_EID_TIMEOUT_INTERVAL: 243 case WLAN_EID_SECONDARY_CHANNEL_OFFSET: 244 case WLAN_EID_WIDE_BW_CHANNEL_SWITCH: 245 case WLAN_EID_CHAN_SWITCH_PARAM: 246 case WLAN_EID_EXT_CAPABILITY: 247 case WLAN_EID_CHAN_SWITCH_TIMING: 248 case WLAN_EID_LINK_ID: 249 case WLAN_EID_BSS_MAX_IDLE_PERIOD: 250 case WLAN_EID_RSNX: 251 case WLAN_EID_S1G_BCN_COMPAT: 252 case WLAN_EID_S1G_CAPABILITIES: 253 case WLAN_EID_S1G_OPERATION: 254 case WLAN_EID_AID_RESPONSE: 255 case WLAN_EID_S1G_SHORT_BCN_INTERVAL: 256 /* 257 * not listing WLAN_EID_CHANNEL_SWITCH_WRAPPER -- it seems possible 258 * that if the content gets bigger it might be needed more than once 259 */ 260 if (test_bit(id, seen_elems)) { 261 elems->parse_error |= 262 IEEE80211_PARSE_ERR_DUP_ELEM; 263 continue; 264 } 265 break; 266 } 267 268 if (calc_crc && id < 64 && (params->filter & (1ULL << id))) 269 crc = crc32_be(crc, pos - 2, elen + 2); 270 271 elem_parse_failed = 0; 272 273 switch (id) { 274 case WLAN_EID_LINK_ID: 275 if (elen + 2 < sizeof(struct ieee80211_tdls_lnkie)) { 276 elem_parse_failed = 277 IEEE80211_PARSE_ERR_BAD_ELEM_SIZE; 278 break; 279 } 280 elems->lnk_id = (void *)(pos - 2); 281 break; 282 case WLAN_EID_CHAN_SWITCH_TIMING: 283 if (elen < sizeof(struct ieee80211_ch_switch_timing)) { 284 elem_parse_failed = 285 IEEE80211_PARSE_ERR_BAD_ELEM_SIZE; 286 break; 287 } 288 elems->ch_sw_timing = (void *)pos; 289 break; 290 case WLAN_EID_EXT_CAPABILITY: 291 elems->ext_capab = pos; 292 elems->ext_capab_len = elen; 293 break; 294 case WLAN_EID_SSID: 295 elems->ssid = pos; 296 elems->ssid_len = elen; 297 break; 298 case WLAN_EID_SUPP_RATES: 299 elems->supp_rates = pos; 300 elems->supp_rates_len = elen; 301 break; 302 case WLAN_EID_DS_PARAMS: 303 if (elen >= 1) 304 elems->ds_params = pos; 305 else 306 elem_parse_failed = 307 IEEE80211_PARSE_ERR_BAD_ELEM_SIZE; 308 break; 309 case WLAN_EID_TIM: 310 if (elen >= sizeof(struct ieee80211_tim_ie)) { 311 elems->tim = (void *)pos; 312 elems->tim_len = elen; 313 } else 314 elem_parse_failed = 315 IEEE80211_PARSE_ERR_BAD_ELEM_SIZE; 316 break; 317 case WLAN_EID_VENDOR_SPECIFIC: 318 if (elen >= 4 && pos[0] == 0x00 && pos[1] == 0x50 && 319 pos[2] == 0xf2) { 320 /* Microsoft OUI (00:50:F2) */ 321 322 if (calc_crc) 323 crc = crc32_be(crc, pos - 2, elen + 2); 324 325 if (elen >= 5 && pos[3] == 2) { 326 /* OUI Type 2 - WMM IE */ 327 if (pos[4] == 0) { 328 elems->wmm_info = pos; 329 elems->wmm_info_len = elen; 330 } else if (pos[4] == 1) { 331 elems->wmm_param = pos; 332 elems->wmm_param_len = elen; 333 } 334 } 335 } 336 break; 337 case WLAN_EID_RSN: 338 elems->rsn = pos; 339 elems->rsn_len = elen; 340 break; 341 case WLAN_EID_ERP_INFO: 342 if (elen >= 1) 343 elems->erp_info = pos; 344 else 345 elem_parse_failed = 346 IEEE80211_PARSE_ERR_BAD_ELEM_SIZE; 347 break; 348 case WLAN_EID_EXT_SUPP_RATES: 349 elems->ext_supp_rates = pos; 350 elems->ext_supp_rates_len = elen; 351 break; 352 case WLAN_EID_HT_CAPABILITY: 353 if (params->mode < IEEE80211_CONN_MODE_HT) 354 break; 355 if (elen >= sizeof(struct ieee80211_ht_cap)) 356 elems->ht_cap_elem = (void *)pos; 357 else 358 elem_parse_failed = 359 IEEE80211_PARSE_ERR_BAD_ELEM_SIZE; 360 break; 361 case WLAN_EID_HT_OPERATION: 362 if (params->mode < IEEE80211_CONN_MODE_HT) 363 break; 364 if (elen >= sizeof(struct ieee80211_ht_operation)) 365 elems->ht_operation = (void *)pos; 366 else 367 elem_parse_failed = 368 IEEE80211_PARSE_ERR_BAD_ELEM_SIZE; 369 break; 370 case WLAN_EID_VHT_CAPABILITY: 371 if (params->mode < IEEE80211_CONN_MODE_VHT) 372 break; 373 if (elen >= sizeof(struct ieee80211_vht_cap)) 374 elems->vht_cap_elem = (void *)pos; 375 else 376 elem_parse_failed = 377 IEEE80211_PARSE_ERR_BAD_ELEM_SIZE; 378 break; 379 case WLAN_EID_VHT_OPERATION: 380 if (params->mode < IEEE80211_CONN_MODE_VHT) 381 break; 382 if (elen >= sizeof(struct ieee80211_vht_operation)) { 383 elems->vht_operation = (void *)pos; 384 if (calc_crc) 385 crc = crc32_be(crc, pos - 2, elen + 2); 386 break; 387 } 388 elem_parse_failed = 389 IEEE80211_PARSE_ERR_BAD_ELEM_SIZE; 390 break; 391 case WLAN_EID_OPMODE_NOTIF: 392 if (params->mode < IEEE80211_CONN_MODE_VHT) 393 break; 394 if (elen > 0) { 395 elems->opmode_notif = pos; 396 if (calc_crc) 397 crc = crc32_be(crc, pos - 2, elen + 2); 398 break; 399 } 400 elem_parse_failed = 401 IEEE80211_PARSE_ERR_BAD_ELEM_SIZE; 402 break; 403 case WLAN_EID_MESH_ID: 404 elems->mesh_id = pos; 405 elems->mesh_id_len = elen; 406 break; 407 case WLAN_EID_MESH_CONFIG: 408 if (elen >= sizeof(struct ieee80211_meshconf_ie)) 409 elems->mesh_config = (void *)pos; 410 else 411 elem_parse_failed = 412 IEEE80211_PARSE_ERR_BAD_ELEM_SIZE; 413 break; 414 case WLAN_EID_PEER_MGMT: 415 elems->peering = pos; 416 elems->peering_len = elen; 417 break; 418 case WLAN_EID_MESH_AWAKE_WINDOW: 419 if (elen >= 2) 420 elems->awake_window = (void *)pos; 421 break; 422 case WLAN_EID_PREQ: 423 elems->preq = pos; 424 elems->preq_len = elen; 425 break; 426 case WLAN_EID_PREP: 427 elems->prep = pos; 428 elems->prep_len = elen; 429 break; 430 case WLAN_EID_PERR: 431 elems->perr = pos; 432 elems->perr_len = elen; 433 break; 434 case WLAN_EID_RANN: 435 if (elen >= sizeof(struct ieee80211_rann_ie)) 436 elems->rann = (void *)pos; 437 else 438 elem_parse_failed = 439 IEEE80211_PARSE_ERR_BAD_ELEM_SIZE; 440 break; 441 case WLAN_EID_CHANNEL_SWITCH: 442 if (elen != sizeof(struct ieee80211_channel_sw_ie)) { 443 elem_parse_failed = 444 IEEE80211_PARSE_ERR_BAD_ELEM_SIZE; 445 break; 446 } 447 elems->ch_switch_ie = (void *)pos; 448 break; 449 case WLAN_EID_EXT_CHANSWITCH_ANN: 450 if (elen != sizeof(struct ieee80211_ext_chansw_ie)) { 451 elem_parse_failed = 452 IEEE80211_PARSE_ERR_BAD_ELEM_SIZE; 453 break; 454 } 455 elems->ext_chansw_ie = (void *)pos; 456 break; 457 case WLAN_EID_SECONDARY_CHANNEL_OFFSET: 458 if (params->mode < IEEE80211_CONN_MODE_HT) 459 break; 460 if (elen != sizeof(struct ieee80211_sec_chan_offs_ie)) { 461 elem_parse_failed = 462 IEEE80211_PARSE_ERR_BAD_ELEM_SIZE; 463 break; 464 } 465 elems->sec_chan_offs = (void *)pos; 466 break; 467 case WLAN_EID_CHAN_SWITCH_PARAM: 468 if (elen < 469 sizeof(*elems->mesh_chansw_params_ie)) { 470 elem_parse_failed = 471 IEEE80211_PARSE_ERR_BAD_ELEM_SIZE; 472 break; 473 } 474 elems->mesh_chansw_params_ie = (void *)pos; 475 break; 476 case WLAN_EID_WIDE_BW_CHANNEL_SWITCH: 477 if (params->mode < IEEE80211_CONN_MODE_VHT) 478 break; 479 480 if (!params->action) { 481 elem_parse_failed = 482 IEEE80211_PARSE_ERR_UNEXPECTED_ELEM; 483 break; 484 } 485 486 if (elen < sizeof(*elems->wide_bw_chansw_ie)) { 487 elem_parse_failed = 488 IEEE80211_PARSE_ERR_BAD_ELEM_SIZE; 489 break; 490 } 491 elems->wide_bw_chansw_ie = (void *)pos; 492 break; 493 case WLAN_EID_CHANNEL_SWITCH_WRAPPER: 494 if (params->mode < IEEE80211_CONN_MODE_VHT) 495 break; 496 if (params->action) { 497 elem_parse_failed = 498 IEEE80211_PARSE_ERR_UNEXPECTED_ELEM; 499 break; 500 } 501 /* 502 * This is a bit tricky, but as we only care about 503 * a few elements, parse them out manually. 504 */ 505 subelem = cfg80211_find_elem(WLAN_EID_WIDE_BW_CHANNEL_SWITCH, 506 pos, elen); 507 if (subelem) { 508 if (subelem->datalen >= sizeof(*elems->wide_bw_chansw_ie)) 509 elems->wide_bw_chansw_ie = 510 (void *)subelem->data; 511 else 512 elem_parse_failed = 513 IEEE80211_PARSE_ERR_BAD_ELEM_SIZE; 514 } 515 516 if (params->mode < IEEE80211_CONN_MODE_EHT) 517 break; 518 519 subelem = cfg80211_find_ext_elem(WLAN_EID_EXT_BANDWIDTH_INDICATION, 520 pos, elen); 521 if (subelem) { 522 const void *edata = subelem->data + 1; 523 u8 edatalen = subelem->datalen - 1; 524 525 if (ieee80211_bandwidth_indication_size_ok(edata, 526 edatalen)) 527 elems->bandwidth_indication = edata; 528 else 529 elem_parse_failed = 530 IEEE80211_PARSE_ERR_BAD_ELEM_SIZE; 531 } 532 break; 533 case WLAN_EID_COUNTRY: 534 elems->country_elem = pos; 535 elems->country_elem_len = elen; 536 break; 537 case WLAN_EID_PWR_CONSTRAINT: 538 if (elen != 1) { 539 elem_parse_failed = 540 IEEE80211_PARSE_ERR_BAD_ELEM_SIZE; 541 break; 542 } 543 elems->pwr_constr_elem = pos; 544 break; 545 case WLAN_EID_CISCO_VENDOR_SPECIFIC: 546 /* Lots of different options exist, but we only care 547 * about the Dynamic Transmit Power Control element. 548 * First check for the Cisco OUI, then for the DTPC 549 * tag (0x00). 550 */ 551 if (elen < 4) { 552 elem_parse_failed = 553 IEEE80211_PARSE_ERR_BAD_ELEM_SIZE; 554 break; 555 } 556 557 if (pos[0] != 0x00 || pos[1] != 0x40 || 558 pos[2] != 0x96 || pos[3] != 0x00) 559 break; 560 561 if (elen != 6) { 562 elem_parse_failed = 563 IEEE80211_PARSE_ERR_BAD_ELEM_SIZE; 564 break; 565 } 566 567 if (calc_crc) 568 crc = crc32_be(crc, pos - 2, elen + 2); 569 570 elems->cisco_dtpc_elem = pos; 571 break; 572 case WLAN_EID_ADDBA_EXT: 573 if (elen < sizeof(struct ieee80211_addba_ext_ie)) { 574 elem_parse_failed = 575 IEEE80211_PARSE_ERR_BAD_ELEM_SIZE; 576 break; 577 } 578 elems->addba_ext_ie = (void *)pos; 579 break; 580 case WLAN_EID_TIMEOUT_INTERVAL: 581 if (elen >= sizeof(struct ieee80211_timeout_interval_ie)) 582 elems->timeout_int = (void *)pos; 583 else 584 elem_parse_failed = 585 IEEE80211_PARSE_ERR_BAD_ELEM_SIZE; 586 break; 587 case WLAN_EID_BSS_MAX_IDLE_PERIOD: 588 if (elen >= sizeof(*elems->max_idle_period_ie)) 589 elems->max_idle_period_ie = (void *)pos; 590 break; 591 case WLAN_EID_RSNX: 592 elems->rsnx = pos; 593 elems->rsnx_len = elen; 594 break; 595 case WLAN_EID_TX_POWER_ENVELOPE: 596 if (elen < 1 || 597 elen > sizeof(struct ieee80211_tx_pwr_env)) 598 break; 599 600 if (elems->tx_pwr_env_num >= ARRAY_SIZE(elems->tx_pwr_env)) 601 break; 602 603 elems->tx_pwr_env[elems->tx_pwr_env_num] = (void *)pos; 604 elems->tx_pwr_env_len[elems->tx_pwr_env_num] = elen; 605 elems->tx_pwr_env_num++; 606 break; 607 case WLAN_EID_EXTENSION: 608 ieee80211_parse_extension_element(calc_crc ? 609 &crc : NULL, 610 elem, elems_parse, 611 params); 612 break; 613 case WLAN_EID_S1G_CAPABILITIES: 614 if (params->mode != IEEE80211_CONN_MODE_S1G) 615 break; 616 if (elen >= sizeof(*elems->s1g_capab)) 617 elems->s1g_capab = (void *)pos; 618 else 619 elem_parse_failed = 620 IEEE80211_PARSE_ERR_BAD_ELEM_SIZE; 621 break; 622 case WLAN_EID_S1G_OPERATION: 623 if (params->mode != IEEE80211_CONN_MODE_S1G) 624 break; 625 if (elen == sizeof(*elems->s1g_oper)) 626 elems->s1g_oper = (void *)pos; 627 else 628 elem_parse_failed = 629 IEEE80211_PARSE_ERR_BAD_ELEM_SIZE; 630 break; 631 case WLAN_EID_S1G_BCN_COMPAT: 632 if (params->mode != IEEE80211_CONN_MODE_S1G) 633 break; 634 if (elen == sizeof(*elems->s1g_bcn_compat)) 635 elems->s1g_bcn_compat = (void *)pos; 636 else 637 elem_parse_failed = 638 IEEE80211_PARSE_ERR_BAD_ELEM_SIZE; 639 break; 640 case WLAN_EID_AID_RESPONSE: 641 if (params->mode != IEEE80211_CONN_MODE_S1G) 642 break; 643 if (elen == sizeof(struct ieee80211_aid_response_ie)) 644 elems->aid_resp = (void *)pos; 645 else 646 elem_parse_failed = 647 IEEE80211_PARSE_ERR_BAD_ELEM_SIZE; 648 break; 649 default: 650 break; 651 } 652 653 if (elem_parse_failed) 654 elems->parse_error |= elem_parse_failed; 655 else 656 __set_bit(id, seen_elems); 657 } 658 659 if (!for_each_element_completed(elem, params->start, params->len)) 660 elems->parse_error |= IEEE80211_PARSE_ERR_INVALID_END; 661 662 return crc; 663 } 664 665 static size_t ieee802_11_find_bssid_profile(const u8 *start, size_t len, 666 struct ieee802_11_elems *elems, 667 struct cfg80211_bss *bss, 668 u8 *nontransmitted_profile) 669 { 670 const struct element *elem, *sub; 671 size_t profile_len = 0; 672 bool found = false; 673 674 if (!bss || !bss->transmitted_bss) 675 return profile_len; 676 677 for_each_element_id(elem, WLAN_EID_MULTIPLE_BSSID, start, len) { 678 if (elem->datalen < 2) 679 continue; 680 if (elem->data[0] < 1 || elem->data[0] > 8) 681 continue; 682 683 for_each_element(sub, elem->data + 1, elem->datalen - 1) { 684 u8 new_bssid[ETH_ALEN]; 685 const u8 *index; 686 687 if (sub->id != 0 || sub->datalen < 4) { 688 /* not a valid BSS profile */ 689 continue; 690 } 691 692 if (sub->data[0] != WLAN_EID_NON_TX_BSSID_CAP || 693 sub->data[1] != 2) { 694 /* The first element of the 695 * Nontransmitted BSSID Profile is not 696 * the Nontransmitted BSSID Capability 697 * element. 698 */ 699 continue; 700 } 701 702 memset(nontransmitted_profile, 0, len); 703 profile_len = cfg80211_merge_profile(start, len, 704 elem, 705 sub, 706 nontransmitted_profile, 707 len); 708 709 /* found a Nontransmitted BSSID Profile */ 710 index = cfg80211_find_ie(WLAN_EID_MULTI_BSSID_IDX, 711 nontransmitted_profile, 712 profile_len); 713 if (!index || index[1] < 1 || index[2] == 0) { 714 /* Invalid MBSSID Index element */ 715 continue; 716 } 717 718 cfg80211_gen_new_bssid(bss->transmitted_bss->bssid, 719 elem->data[0], 720 index[2], 721 new_bssid); 722 if (ether_addr_equal(new_bssid, bss->bssid)) { 723 found = true; 724 elems->bssid_index_len = index[1]; 725 elems->bssid_index = (void *)&index[2]; 726 break; 727 } 728 } 729 } 730 731 return found ? profile_len : 0; 732 } 733 734 static void 735 ieee80211_mle_get_sta_prof(struct ieee80211_elems_parse *elems_parse, 736 u8 link_id) 737 { 738 struct ieee802_11_elems *elems = &elems_parse->elems; 739 const struct ieee80211_multi_link_elem *ml = elems->ml_basic; 740 ssize_t ml_len = elems->ml_basic_len; 741 const struct element *sub; 742 743 for_each_mle_subelement(sub, (u8 *)ml, ml_len) { 744 struct ieee80211_mle_per_sta_profile *prof = (void *)sub->data; 745 ssize_t sta_prof_len; 746 u16 control; 747 748 if (sub->id != IEEE80211_MLE_SUBELEM_PER_STA_PROFILE) 749 continue; 750 751 if (!ieee80211_mle_basic_sta_prof_size_ok(sub->data, 752 sub->datalen)) 753 return; 754 755 control = le16_to_cpu(prof->control); 756 757 if (link_id != u16_get_bits(control, 758 IEEE80211_MLE_STA_CONTROL_LINK_ID)) 759 continue; 760 761 if (!(control & IEEE80211_MLE_STA_CONTROL_COMPLETE_PROFILE)) 762 return; 763 764 /* the sub element can be fragmented */ 765 sta_prof_len = 766 cfg80211_defragment_element(sub, 767 (u8 *)ml, ml_len, 768 elems_parse->scratch_pos, 769 elems_parse->scratch + 770 elems_parse->scratch_len - 771 elems_parse->scratch_pos, 772 IEEE80211_MLE_SUBELEM_FRAGMENT); 773 774 if (sta_prof_len < 0) 775 return; 776 777 elems->prof = (void *)elems_parse->scratch_pos; 778 elems->sta_prof_len = sta_prof_len; 779 elems_parse->scratch_pos += sta_prof_len; 780 781 return; 782 } 783 } 784 785 static void ieee80211_mle_parse_link(struct ieee80211_elems_parse *elems_parse, 786 struct ieee80211_elems_parse_params *params) 787 { 788 struct ieee802_11_elems *elems = &elems_parse->elems; 789 struct ieee80211_mle_per_sta_profile *prof; 790 struct ieee80211_elems_parse_params sub = { 791 .mode = params->mode, 792 .action = params->action, 793 .from_ap = params->from_ap, 794 .link_id = -1, 795 }; 796 ssize_t ml_len = elems->ml_basic_len; 797 const struct element *non_inherit = NULL; 798 const u8 *end; 799 800 ml_len = cfg80211_defragment_element(elems_parse->ml_basic_elem, 801 elems->ie_start, 802 elems->total_len, 803 elems_parse->scratch_pos, 804 elems_parse->scratch + 805 elems_parse->scratch_len - 806 elems_parse->scratch_pos, 807 WLAN_EID_FRAGMENT); 808 809 if (ml_len < 0) 810 return; 811 812 elems->ml_basic = (const void *)elems_parse->scratch_pos; 813 elems->ml_basic_len = ml_len; 814 elems_parse->scratch_pos += ml_len; 815 816 if (params->link_id == -1) 817 return; 818 819 ieee80211_mle_get_sta_prof(elems_parse, params->link_id); 820 prof = elems->prof; 821 822 if (!prof) 823 return; 824 825 /* check if we have the 4 bytes for the fixed part in assoc response */ 826 if (elems->sta_prof_len < sizeof(*prof) + prof->sta_info_len - 1 + 4) { 827 elems->prof = NULL; 828 elems->sta_prof_len = 0; 829 return; 830 } 831 832 /* 833 * Skip the capability information and the status code that are expected 834 * as part of the station profile in association response frames. Note 835 * the -1 is because the 'sta_info_len' is accounted to as part of the 836 * per-STA profile, but not part of the 'u8 variable[]' portion. 837 */ 838 sub.start = prof->variable + prof->sta_info_len - 1 + 4; 839 end = (const u8 *)prof + elems->sta_prof_len; 840 sub.len = end - sub.start; 841 842 non_inherit = cfg80211_find_ext_elem(WLAN_EID_EXT_NON_INHERITANCE, 843 sub.start, sub.len); 844 _ieee802_11_parse_elems_full(&sub, elems_parse, non_inherit); 845 } 846 847 static void 848 ieee80211_mle_defrag_reconf(struct ieee80211_elems_parse *elems_parse) 849 { 850 struct ieee802_11_elems *elems = &elems_parse->elems; 851 ssize_t ml_len; 852 853 ml_len = cfg80211_defragment_element(elems_parse->ml_reconf_elem, 854 elems->ie_start, 855 elems->total_len, 856 elems_parse->scratch_pos, 857 elems_parse->scratch + 858 elems_parse->scratch_len - 859 elems_parse->scratch_pos, 860 WLAN_EID_FRAGMENT); 861 if (ml_len < 0) 862 return; 863 elems->ml_reconf = (void *)elems_parse->scratch_pos; 864 elems->ml_reconf_len = ml_len; 865 elems_parse->scratch_pos += ml_len; 866 } 867 868 struct ieee802_11_elems * 869 ieee802_11_parse_elems_full(struct ieee80211_elems_parse_params *params) 870 { 871 struct ieee80211_elems_parse *elems_parse; 872 struct ieee802_11_elems *elems; 873 const struct element *non_inherit = NULL; 874 u8 *nontransmitted_profile; 875 int nontransmitted_profile_len = 0; 876 size_t scratch_len = 3 * params->len; 877 878 BUILD_BUG_ON(offsetof(typeof(*elems_parse), elems) != 0); 879 880 elems_parse = kzalloc(struct_size(elems_parse, scratch, scratch_len), 881 GFP_ATOMIC); 882 if (!elems_parse) 883 return NULL; 884 885 elems_parse->scratch_len = scratch_len; 886 elems_parse->scratch_pos = elems_parse->scratch; 887 888 elems = &elems_parse->elems; 889 elems->ie_start = params->start; 890 elems->total_len = params->len; 891 892 nontransmitted_profile = elems_parse->scratch_pos; 893 nontransmitted_profile_len = 894 ieee802_11_find_bssid_profile(params->start, params->len, 895 elems, params->bss, 896 nontransmitted_profile); 897 elems_parse->scratch_pos += nontransmitted_profile_len; 898 non_inherit = cfg80211_find_ext_elem(WLAN_EID_EXT_NON_INHERITANCE, 899 nontransmitted_profile, 900 nontransmitted_profile_len); 901 902 elems->crc = _ieee802_11_parse_elems_full(params, elems_parse, 903 non_inherit); 904 905 /* Override with nontransmitted profile, if found */ 906 if (nontransmitted_profile_len) { 907 struct ieee80211_elems_parse_params sub = { 908 .mode = params->mode, 909 .start = nontransmitted_profile, 910 .len = nontransmitted_profile_len, 911 .action = params->action, 912 .link_id = params->link_id, 913 }; 914 915 _ieee802_11_parse_elems_full(&sub, elems_parse, NULL); 916 } 917 918 ieee80211_mle_parse_link(elems_parse, params); 919 920 ieee80211_mle_defrag_reconf(elems_parse); 921 922 if (elems->tim && !elems->parse_error) { 923 const struct ieee80211_tim_ie *tim_ie = elems->tim; 924 925 elems->dtim_period = tim_ie->dtim_period; 926 elems->dtim_count = tim_ie->dtim_count; 927 } 928 929 /* Override DTIM period and count if needed */ 930 if (elems->bssid_index && 931 elems->bssid_index_len >= 932 offsetofend(struct ieee80211_bssid_index, dtim_period)) 933 elems->dtim_period = elems->bssid_index->dtim_period; 934 935 if (elems->bssid_index && 936 elems->bssid_index_len >= 937 offsetofend(struct ieee80211_bssid_index, dtim_count)) 938 elems->dtim_count = elems->bssid_index->dtim_count; 939 940 return elems; 941 } 942 EXPORT_SYMBOL_IF_KUNIT(ieee802_11_parse_elems_full); 943 944 int ieee80211_parse_bitrates(enum nl80211_chan_width width, 945 const struct ieee80211_supported_band *sband, 946 const u8 *srates, int srates_len, u32 *rates) 947 { 948 u32 rate_flags = ieee80211_chanwidth_rate_flags(width); 949 struct ieee80211_rate *br; 950 int brate, rate, i, j, count = 0; 951 952 *rates = 0; 953 954 for (i = 0; i < srates_len; i++) { 955 rate = srates[i] & 0x7f; 956 957 for (j = 0; j < sband->n_bitrates; j++) { 958 br = &sband->bitrates[j]; 959 if ((rate_flags & br->flags) != rate_flags) 960 continue; 961 962 brate = DIV_ROUND_UP(br->bitrate, 5); 963 if (brate == rate) { 964 *rates |= BIT(j); 965 count++; 966 break; 967 } 968 } 969 } 970 return count; 971 } 972